CVE-2026-12060
Description
Heptabase before 1.90.2 exposes a dangerous method allowing unauthenticated attackers to trick victims into granting camera/microphone access via a malicious webpage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Heptabase versions prior to 1.90.2 contain an exposed dangerous method or function vulnerability [1][2]. This flaw allows an unauthenticated remote attacker to craft a malicious webpage that, when opened or loaded within the Heptabase application, triggers unauthorized access to the device's camera and microphone. The vulnerability resides in the application's handling of external content and requires the victim to interact with the malicious page inside Heptabase.
Exploitation
An attacker does not need authentication or prior access to the target system. The exploitation relies on social engineering to convince the victim to open or load a specially crafted webpage within the Heptabase application. Once the victim loads the malicious page, the exposed dangerous method is invoked, granting the attacker control over the camera and microphone permissions without further user consent [1][2].
Impact
Successful exploitation allows the attacker to gain unauthorized access to the victim's camera and microphone. This compromises the confidentiality of audio and video data, potentially enabling surveillance or eavesdropping. The impact is limited to information disclosure (confidentiality) with no effect on integrity or availability, as reflected by the CVSS vector [1][2].
Mitigation
The vendor has released a fix in Heptabase version 1.90.2 [1][2]. Users should update to this version or later to remediate the vulnerability. No workarounds are documented in the available references.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.